Does it have this function? I just want to only analyze HTTP packets. And can it reduce the capture loss rate by analyzing fewer packets? Thanks a lot.
It kind of depends on what you mean. There are basically two approaches that can be used to limit yourself to only http.
First - you can use BPF filters to limit the traffic that Zeek sees. So - you can e.g. get Zeek to only analyze port 80 traffic by setting PacketFilter::default_capture_filter to (ip or not ip) and (tcp port 80) or similar.
If you do this you will miss http traffic on ports different from 80 though.
The other alternative is to not load scripts that do non-http analysis. You can e.g. do that by starting zeek in bare mode (passing -b on the command line, or setting zeekargs/broargs to -b). You then have to set your local.bro to load the protocol analyzers that you want manually - in your case you would probably need
which should only give you http.log. All other traffic will still be seen by Zeek, but no protocol analysis will run on it.
If you want conn.log, you also need
Both of these approaches will speed Zeek up - the first one more than the second one. However, neither of them is a golden bullet - and you will not get as much data as you did before.
I hope this helps,
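As an added illustration of the two approaches described in the reply above (this is example configuration written for this page, not a script from the original thread or from the Zeek project), the following local.zeek is meant to be started in bare mode with something like `zeek -b -i eth0 local.zeek`. The interface name, the choice of port 80 and the decision to enable the BPF filter at all are assumptions; the `@load` paths are the base/ scripts that ship HTTP and conn logging and the packet-filter framework that defines PacketFilter::default_capture_filter.

```zeek
# local.zeek for bare mode (-b): nothing is loaded unless we ask for it.
# Start with: zeek -b -i eth0 local.zeek   (interface name is an assumption)

# Approach 2 from the reply: load only the analyzers whose logs we want.
# base/protocols/http gives http.log; base/protocols/conn gives conn.log.
# Every other protocol is still carried by Zeek but gets no protocol analysis.
@load base/protocols/conn
@load base/protocols/http

# Approach 1 from the reply: restrict what Zeek sees at capture time with a
# BPF filter. The packet-filter framework declares the variable we redef, so
# it must be loaded first in bare mode (init-default would normally do this).
@load base/frameworks/packet-filter

# Assumption: we accept missing HTTP on non-standard ports in exchange for
# lower capture load. "ip or not ip" keeps Zeek's default "match everything"
# base and then narrows it to TCP port 80, as in the reply above.
redef PacketFilter::default_capture_filter = "(ip or not ip) and (tcp port 80)";

# Optional sanity check: log the effective filter once Zeek is up, so an
# operator can confirm in stdout/reporter.log that the narrowed filter applied.
event zeek_init()
    {
    print fmt("capture filter in use: %s", PacketFilter::default_capture_filter);
    }
```

Removing the packet-filter block (the `@load base/frameworks/packet-filter` and the `redef`) gives you the second approach on its own: all traffic is still captured, http.log and conn.log are produced, and HTTP on any port the HTTP analyzer detects is still logged. Keeping the `redef` trades that coverage for the larger speed-up.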
Thanks Johanna. Learning about the bug which is fixed in 2.6.4 is really helpful.
I would like to utilize the OpenSUSE build service to install/upgrade 2.6.4 but going to OBS from the zeek.org/download points me to v3.0.0 for Debian 10. How do I access the v2.6.4 package for Debian 10? (I am not ready to upgrade to 3.0. I want to give it some time for the bugs to shake out.)
And just for reference - Zeek downloads moved to the openSUSE Build Service (project security:zeek, package zeek).